Links

Sunday, August 30, 2009

Using Burp Intruder to brute force login

Inspired by a little tweet I saw from @carnal0wnage, I've decided to make today's "Burp Tip of the Day" about brute forcing a login with Burp Suite's Intruder. As always, this goes a lot faster if you purchase the professional version of Burp here. However, this also works for the free version but much slower.

So, lets get started!

First thing first, send a request to the target site entering a username and password combo. I chose pma_username=test and pma_password=test. Intercept that request, right click and send to intruder like so.

Once you have the request sent to burp 'Intruder' you need to choose your targets for the intruder payload. You can do this by clicking the 'add' button and putting the '$' symbol around the username and password as shown in the example. Also choose the 'cluster bomb' attack type (circled in the example).

Next step is to roll over to the Intruder > Payloads tab. You will have two separate payload sets. Set 1 and Set 2 (easy right?). So in payload Set 1 you choose "preset list" click 'load' and upload the user_name file (containing....ya you guessed it). It should look like so:

Next, click payload set 1 and drop down to payload set 2. You remain using a preset list and click 'load' to upload the password file. It should look like so:

At this point you are ready to rock. Just in case the password submission is using Basic Authorization (aka Base64) you can choose to base64 encode the data by choosing the option in the Intruder > payload section near the bottom. So go to the very top, drop down intruder, and click start. All in all the results should look something like this:

Generally when the length differs greatly or the response code differs you have a pretty good sign that you've hit the mark! Hope this helps someone.

If you're doing a Basic Auth attack using this technique, you can't use cluster bomb as you need to encode a single payload and you can't do this with two separate payloads as you cant easily predict padding character inclusion.(in base64 the same characters will be encoded differently depending on their position within the three-octet group which is encoded to produce the four characters. Well annoying. I'm trying to sort a way of doing it that doesnt require hardcoding the username with a colon suffix.